Every AP is issued a factory certificate during manufacturing. This cert is used to build the IPSec tunnel. When you whitelist the RAP on the controller, you're essentially whitelisting the cert.
Custom certs can be loaded onto the AP for use with IPSec but it's not a common deployment.